Question
What is the purpose of KernelCare? Do I ever need to reboot my server again?
Answer
A common misconception about KernelCare is that you never have to reboot the server again because it patches the kernel live. This is only half true.
The purpose of services like KernelCare is that they pull in new kernel updates and apply them by injecting patches into the memory space of the actively loaded kernel. This effectively applies critical updates from the kernel as soon as they're available, such as stability or security patches, among other things.
While the kernel itself becomes patched in memory, the whole of the new kernel is not being loaded. KernelCare is meant to be a stopgap between kernel updates and server reboots. It allows you to schedule reboots for a convenient time of the week or month, such as during a scheduled maintenance window advertised to clients. Even though you're waiting for potentially weeks to reboot, kernel-level patches are applied in real-time.
When a binary is updated on the server through a yum update, whether that binary is supplied by the kernel package or by any number of other packages (MySQL, Apache, SSH, Exim, etc.), the new binary itself isn't loaded until that service is restarted. cPanel's Security Center compares the signature data of the running binary with that of the binary on disk. If they don't match, the binary has changed since the last restart.
Most services are restarted as part of the RPM package's post-install scriptlets; others can simply be restarted when convenient to apply the changes.
But for some core, low-level components such as init/systemd, the only true way to fully load updates into memory is to reboot the operating system entirely.
So a reboot should still be done from time to time to fully install a new kernel or any updated binaries.
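One way to see the condition described above from the shell, for any process rather than only the services cPanel's Security Center covers: when a file that a process has mapped (its executable or a shared library) is replaced on disk by a package update, the Linux kernel marks that entry "(deleted)" in /proc/<pid>/maps. The script below reports such stale mappings and flags PID 1 (init/systemd), the case where the article says only a reboot will do. This is an added example, not code from the article, KernelCare or cPanel; the maps text in SAMPLE_MAPS is constructed for the demonstration, and the list of pseudo-files it ignores (memfd, /dev, SysV shared memory) is an assumption about what should not count as a pending update.

```shell
#!/bin/sh
# Detect processes that still run code from files replaced on disk since they
# started, by looking for "(deleted)" entries in /proc/<pid>/maps.

# Constructed sample (not captured from a real host): one stale library, one
# memfd segment that is legitimately "deleted", and ordinary mappings.
SAMPLE_MAPS='5589a1c00000-5589a1c21000 r--p 00000000 fd:01 1310722 /usr/lib/systemd/systemd
7f3c2e400000-7f3c2e5c8000 r-xp 00028000 fd:01 1311001 /usr/lib64/libc.so.6 (deleted)
7f3c2e700000-7f3c2e701000 rw-s 00000000 00:05 12345 /memfd:example (deleted)
7f3c2e600000-7f3c2e602000 rw-p 00000000 00:00 0 [stack]'

# stale_mappings MAPS_TEXT
# Prints each distinct file path whose mapping is marked "(deleted)".
# Fields of a maps line: address perms offset dev inode pathname [(deleted)]
# Pseudo-files (memfd:, /dev/*, SysV shm) are always "deleted" and are skipped.
# Caveat: paths containing spaces would be truncated by the field split.
stale_mappings() {
    printf '%s\n' "$1" | awk '
        $NF == "(deleted)" && $6 !~ /^\/(memfd:|dev\/|SYSV)/ { print $6 }
    ' | sort -u
}

# scan_host
# Walks /proc and lists every process that maps a stale file.
# Reading other users'"'"' maps requires root.
scan_host() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_mappings "$(cat "$maps" 2>/dev/null)")
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf 'PID %s (%s) maps files updated on disk since start:\n' "$pid" "$comm"
        printf '%s\n' "$stale" | sed 's/^/    /'
    done
}

# pid1_stale
# Returns 0 when init/systemd itself maps a replaced file, i.e. the case the
# article says can only be fully resolved by a reboot; 2 if unreadable.
pid1_stale() {
    [ -r /proc/1/maps ] || return 2
    [ -n "$(stale_mappings "$(cat /proc/1/maps)")" ]
}

if [ "${1:-}" = "--scan" ]; then
    scan_host
    if pid1_stale; then
        echo "PID 1 runs stale code: schedule a reboot"
    fi
else
    # Demonstrate on the constructed sample: prints only /usr/lib64/libc.so.6
    stale_mappings "$SAMPLE_MAPS"
fi
```

Run it with `--scan` as root on a live host to list affected processes. This check covers userspace only: whether a newer kernel package is installed than the one running is a separate comparison of `uname -r` against the installed kernel packages, and KernelCare's in-memory patches do not show up in either place. On RHEL-family systems, `needs-restarting` (from yum-utils or dnf-plugins-core) performs a similar scan, and `needs-restarting -r` reports whether a reboot is required.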